‘DarkGate’ miner, password-stealer could open up world of hurt for Windows users

Windows users in Europe have recently been the target of a sophisticated malware campaign that provides attackers with a diverse array of capabilities, including cryptomining, credential stealing, ransomware and remote-access takeovers.

Named DarkGate by its developer, the malware is reportedly distributed via Torrent files disguised as popular entertainment offerings — including the Spanish basketball dramedy Campeones and the zombie drama The Walking Dead. These files actually execute malicious VBScripts on the machines of those who download them. Upon infection, the malware’s first interaction with the C2 server commences the mining process, but from there DarkGate has the potential to carry out additional attacks.

So far, the campaign has focused largely on users in Spain and France, according to a Nov. 13 blog post from endpoint security company enSilo, whose researcher Adi Zeligson discovered the threat on Dec. 27, 2017.

Researchers say that DarkGate appears to be closely related to a previously known password-stealer called Golroted.

DarkGate’s password-stealing component uses NirSoft tools to swipe user credentials, browser cookies, browser history and Skype chats, enSilo reported. But the attackers clearly seem to favor cryptocurrency credentials, reported blog post authors Zeligson and fellow researcher Rotem Kerner, as the malware “looks for specific strings in the names of windows in the foreground that are related to different kinds of crypto wallets” used for trading on various crypto applications and websites.

Aside from its versatility, DarkGate is also notable for its use of process hollowing — loading a legitimate process onto a system and using it as a wrapper to conceal malicious code. DarkGate abuses the processes vbc.exe or regasm.exe for this purpose, the blog post explains.

The malware also relies on UAC (User Account Control) bypass capabilities to elevate its privileges. For this, it employs two distinct tricks, exploiting both the scheduled task DiskCleanup and the legitimate process file eventvwr.exe, aka the Event Viewer Snapin Launcher.
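The process hollowing and UAC bypass behaviours described above leave traces in ordinary process-creation telemetry. The following is an added detection example, not code from the enSilo report or from SC Media: it scans a constructed CSV of process-creation events (field names, paths and sample events are all invented for this example) and flags the patterns the article names, namely vbc.exe or regasm.exe being spawned by a script host, and eventvwr.exe being launched from a script host or spawning something other than mmc.exe, which is what it normally launches. Abuse of the DiskCleanup scheduled task is better observed in task and registry telemetry and is not covered here.

```python
"""Added example: flag process-creation events matching the DarkGate
behaviours the article describes. Not enSilo's or SC Media's code; the
CSV format, field names and every sample event below are constructed."""

import csv
import io
import ntpath

# Constructed sample of process-creation events.
SAMPLE_LOG = """pid,image,parent_image,cmdline
101,C:\\Windows\\System32\\wscript.exe,C:\\Windows\\explorer.exe,wscript.exe Campeones.vbs
102,C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe,C:\\Windows\\System32\\wscript.exe,vbc.exe
103,C:\\Windows\\System32\\eventvwr.exe,C:\\Windows\\System32\\wscript.exe,eventvwr.exe
104,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\eventvwr.exe,cmd.exe /c stage2.exe
105,C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe,C:\\Program Files\\MSBuild\\msbuild.exe,vbc.exe /target:library
106,C:\\Windows\\System32\\mmc.exe,C:\\Windows\\System32\\eventvwr.exe,mmc.exe eventvwr.msc
"""

# Script hosts that run the VBScript dropper the article describes.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Legitimate binaries the article says DarkGate hollows out.
HOLLOW_TARGETS = {"vbc.exe", "regasm.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a reason string if the event matches a suspicious pattern, else None."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])

    # vbc.exe / regasm.exe are compiler tools; a script host launching them
    # is unusual, whereas a build tool (event 105) doing so is expected.
    if image in HOLLOW_TARGETS and parent in SCRIPT_HOSTS:
        return "possible process hollowing: %s spawned by %s" % (image, parent)

    # Event Viewer started by a script rather than by the user's shell.
    if image == "eventvwr.exe" and parent in SCRIPT_HOSTS:
        return "eventvwr.exe launched from script host %s" % parent

    # eventvwr.exe normally only launches mmc.exe; any other child is the
    # hallmark of the Event Viewer UAC bypass pattern.
    if parent == "eventvwr.exe" and image != "mmc.exe":
        return "eventvwr.exe spawned %s instead of mmc.exe (UAC bypass pattern)" % image

    return None


def detect(log_text):
    """Return [(pid, reason), ...] for every suspicious event in the CSV text."""
    hits = []
    for event in csv.DictReader(io.StringIO(log_text)):
        reason = classify(event)
        if reason:
            hits.append((int(event["pid"]), reason))
    return hits


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_LOG):
        print(pid, reason)
```

On the constructed sample, events 102, 103 and 104 are flagged while the msbuild-launched compiler (105) and Event Viewer's normal mmc.exe child (106) pass; in a real deployment the parent allow-list for vbc.exe would need to reflect whatever build tooling is legitimately present on the host.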

Another of DarkGate’s remarkable traits is its human-powered, “reactive” C2 infrastructure, which is staffed by actual people. These operators “act upon receiving notifications of new infections with crypto wallets,” Zeligson and Kerner reported. Additionally, “When the operator detects any interesting activity… they then proceed to install a custom remote access tool on the [infected] machine for manual operations.”

DarkGate deceptively attempts to hide its C2 infrastructure by disguising its malicious servers as known legitimate services, including Akamai CDN or AWS. The malware also takes measures to avoid detection by monitoring for conditions typically found in a sandbox or VM environment, as well as by checking for the presence of specific AV solutions.

In an email interview with SC Media, an enSilo spokesperson said the researchers believe that the attackers “aim for targets which will maximize their monetary gain and as such prefer to reach valuable targets; for example, organizations with significant computing resources.”